[strongSwan] Handling of overlapping tunnel establishment

Joern Mewes joern.mewes at gmx.net
Fri Jul 24 09:54:12 CEST 2015

Hi all,

We came across a problem during the last days which was causing us
some headache and hope someone has an idea how to solve it.

We are running a VPN between a Linux system running strongswan 5.2.2
and a Juniper SRX system. The VPNs are being established "on traffic"
meaning both peers are going to establish a VPN tunnel if there is
traffic for the other side.

An external event breaking the connection between the two peers
(network outage, routing issue...) will lead to a situation where both
peers are going to clear the SAs and start sending IKE-INIT messages
to reestablish the tunnel. As the network connection is still broken
these IKE-INITs are not being answered and both endpoints start
retransmitting the packets due to their locally configured
retransmission timers.

If the network connection gets up during these retransmission
intervals both peers will be able to complete the half-open SA
negotiations, however we see from the logs that strongswan is going to
delete the 2nd Child-SA pair immediately after establishment. This
behavior is ok for us in general (and in line with what Martin
described in https://lists.strongswan.org/pipermail/users/2013-September/005294.html),
however in our case this leads to problems as strongswan only deletes
the 2nd Child-SA but keeps the corresponding IKE-SA.

In our case we see that the Juniper system is retransmitting the
IKE-INIT in a shorter interval than strongswan. That leads to a
situation in which the tunnel initiated by Juniper gets established
first and strongswan later deletes its own Child-SA. The Juniper
system now tries to establish a Child-SA by using the IKE-SA
established by strongswan, which again gets refused by strongswan. For
us it seems that the Juniper system requires a Child-SA established by
the "latest established" IKE-SA, which results in a kind of
CREATE_CHILD_SA loop and a traffic outage until the next IKE-SA rekeying.

So again, in short, the message flow as we see it from logs and traces:

- Firstly “Juniper as initiator” tunnel established. Tunnel is fine /
traffic is fine.

- now "strongswan as initiator" tunnel established. Immediately
strongswan deletes the Child-SA of its own initiated tunnel

- for outgoing traffic the SPI from the first Child SA is used by strongswan

- in case of traffic from the Juniper to strongswan, Juniper sends a
CREATE_CHILD_SA request to create a Child-SA on the strongswan
initiated IKE-SA, traffic drops.

- strongswan rejects this Child-SA request again, traffic stays down
till next IKE-SA rekeying.

I am wondering if strongswan behaves correctly in this case. Based on
my understanding strongswan should either

1.- close the half-open SA and stop retransmitting the IKE-INIT if
there is already an active SA or
2.- close both Child-SA and IKE-SA if it detects double Child-SA pairs

Is there any chance to achieve one of the two as mentioned above by
configuration change? Or do you see it as a fault on the Juniper side?

Looking forward to your comments.

Thanks and best regards,
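
A small constructed model of the loop described in the post, added here as an illustration and not strongSwan or Juniper code; it assumes the peer behaviours the poster infers from the logs (Juniper always uses its newest IKE-SA, strongSwan refuses a duplicate Child-SA pair) and compares the observed handling with the two remedies proposed above:

```python
# Toy model of the overlapping-IKE-SA situation from the post.
# Added illustration, not strongSwan or Juniper code. Assumed behaviour,
# taken from the poster's reading of the logs: Juniper sends traffic (and
# CREATE_CHILD_SA) on its most recently established IKE-SA, and strongSwan
# refuses a Child-SA that duplicates an already installed pair.
from dataclasses import dataclass


@dataclass
class IkeSa:
    initiator: str   # which side initiated this IKE-SA
    seq: int         # establishment order; higher means newer
    child: bool      # True while a Child-SA pair is installed under it


def collision_state():
    """Both IKE_SA_INITs succeed once the network is back: Juniper's IKE-SA
    completes first, strongSwan's second, each carrying a Child-SA pair."""
    return [IkeSa("juniper", 1, True), IkeSa("strongswan", 2, True)]


def simulate(policy):
    """Outcome for Juniper->strongSwan traffic under one handling policy:
    "delete_child_only" (observed), "delete_ike_too" (option 2 from the
    post), "abort_half_open" (option 1 from the post)."""
    sas = collision_state()
    own = next(s for s in sas if s.initiator == "strongswan")
    if policy == "delete_child_only":
        own.child = False        # observed: 2nd Child-SA gone, IKE-SA kept
    elif policy == "delete_ike_too":
        sas.remove(own)          # option 2: drop Child-SA and IKE-SA
    elif policy == "abort_half_open":
        # option 1: strongSwan stops retransmitting once Juniper's SA is
        # up, so its own IKE-SA never completes
        sas = [s for s in sas if s.initiator == "juniper"]
    else:
        raise ValueError(policy)

    newest = max(sas, key=lambda s: s.seq)   # Juniper's choice of IKE-SA
    if newest.child:
        return "traffic flows"
    # No Child-SA under the newest IKE-SA: Juniper sends CREATE_CHILD_SA on
    # it and strongSwan rejects it as a duplicate of the pair still installed
    # under the older IKE-SA. This repeats until the next IKE-SA rekeying.
    assert any(s.child for s in sas)
    return "CREATE_CHILD_SA rejected, traffic down until rekey"


if __name__ == "__main__":
    for p in ("delete_child_only", "delete_ike_too", "abort_half_open"):
        print(f"{p:18s} -> {simulate(p)}")
```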
